Sulkta-OSS/aldabra
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
aldabra/aiken-escrow/README.md
Kayos 93f11ecef0 docs: rewrite for users — drop internal infra context 
README + supporting docs were written for ourselves (deployment paths,
internal product comparisons, internal task lists, build pipeline
artifacts) instead of for users of the software. This pass refocuses
them on what the software is, how to install, configure, and use it.

- README.md: full rewrite. New shape — What it does / Architecture /
  Build / Run / Configuration / MCP tools / Security model / Status /
  License / Dependencies. Drops the internal "why we built it"
  narrative, drops phase-status claims that drifted stale, drops
  internal deployment paths.
- ROADMAP.md: deleted. Was an internal task-list with [x]/[ ] items
  showing incremental private development. The README's Status
  section now communicates what's actually shipped.
- docs/architecture.md: scrub cross-project comparisons referencing
  unrelated internal Sulkta codebases.
- aiken-escrow/README.md: drop reference to a non-existent spec file;
  rewrite the Status checklist to reflect what's actually done
  rather than what was open at the time of writing.
- audits/2026-05-09-escrow-e2e.md: scrub internal image names +
  container paths; the audit findings (chain hashes, validator hash,
  what each tx proved) are the public-useful part and stay.
- audits/2026-05-09-escrow-internal-audit.md: drop references to
  feature-flag-gated branches that no longer exist.
- Dockerfile: drop the dead `escrow_wip surface` phrase from comments.
- Cargo.toml: drop the cross-project comparison comment that named
  an unrelated internal service.
- crates/aldabra-{core,dao}: scrub internal preprod-test naming from
  source comments — same technical content, generic phrasing.
2026-05-10 20:56:25 -07:00

65 lines
2.9 KiB
Markdown
Raw Blame History

# aiken-escrow
> ⚠️ **UNAUDITED.** No third-party security review has been performed.
> Internal review only. Treat as use-at-own-risk for high-value flows
> until external audit lands.
Two-party agreement-with-veto escrow validator (Plutus V3, Aiken
v1.1.21). The off-chain (Rust) side lives in `crates/aldabra-dao` and
is wired into the MCP tool surface via `aldabra-mcp`.
## State machine
```
Open ──(both sign Agree)──▶ Agreed{at} ──(lock_period elapsed, no veto)──▶ Settle (→ recipient)
│ │
│ └──(A or B fires Veto)─────────────▶ Refund (per-contributor)
└──(open_deadline passed, no agreement)─────────────────────────▶ Refund (per-contributor)
```
## Build
```bash
cd aiken-escrow
aiken check # type check + tests
aiken build # produces plutus.json blueprint
```
The blueprint at `plutus.json` is consumed by aldabra's escrow builders
to construct script addresses + spending witnesses.
## Threat model — known gaps (out-of-scope for v1)
These are KNOWN gaps the validator does not protect against:
- **Datum CBOR canonicality.** The Deposit redeemer compares
`cbor.serialise(expected) == cbor.serialise(new.deposits)`. If the
Aiken stdlib's CBOR encoder is non-canonical for any input shape
(e.g. map ordering), an attacker could submit a continuing output
with the same logical content but byte-different and bypass the
check. Mitigated by using `List<Deposit>` (not Map) which has
deterministic order, but external review should re-confirm.
- **Stake credential preservation on refund outputs.** Refund outputs
are derived from contributor PKHs as null-stake base addresses. If a
contributor's wallet uses a custom stake credential, refund value
bypasses their stake-delegation pool. Acceptable v1 tradeoff.
- **Min-utxo per refund leg.** Validator does not enforce min-utxo
per refund output — assumes the off-chain builder has already
ensured each deposit cleared min-utxo at deposit time. A pathological
multi-asset deposit that splits below min-utxo on refund would brick
the escrow until manual recovery.
- **Multi-script-input attack.** If a single tx spends multiple escrow
UTxOs simultaneously with overlapping signers, the per-UTxO
validator runs independently. Cross-UTxO consistency is not enforced.
## Status
- Validator compiles cleanly (`aiken build` produces `plutus.json`).
- Off-chain codecs in `aldabra-dao::agora::escrow`.
- Off-chain unsigned-tx builders for all 6 paths (open / deposit /
agree / veto / settle / refund-timeout) implemented + unit-tested.
- MCP tool wrappers exposed under `escrow_*` prefix.
- Lifecycle paths exercised end-to-end on preprod (settle / veto /
refund-timeout) — findings in `audits/`.
- **Outstanding:** external third-party audit before mainnet release.
Reference in a new issue View git blame Copy permalink